Types of Risky Communications You Should Watch Out For

How do you know who your assets are talking to? If you don’t have visibility into risky communications your assets and employees are engaging in, you can’t secure your network and your data. Subsidiaries and strategic suppliers only make this more complicated, because while you don’t generally have direct visibility into their networks, risky behavior can still negatively affect your security posture.

Expanse has developed a new way to approach these problems. We partner with global Internet service providers to join observed Internet traffic data associated with our customers’ network activity with our active sensing data. This gives us a unique, birds’-eye view into the prevalence of certain risky network communications problems. These behaviors have a significant impact on organizations’ security postures.

While every network is different, there are specific categories of network activity that negatively affect your security posture and can precipitate a breach. These categories are:

1. Risky Anonymization Services

Tor is well-known and popular for certain legitimate uses. But it’s probably not something you want on your network because it is often used by malware or for other purposes that violate most organizations’ Acceptable Use Policies.

Similar to Tor, there are also commercial VPN anonymization services that disguise a user’s real IP (and thus their identity). While these services are used less by malware, they still pose a risk because they help employees hide the websites they’re visiting from supervision, and the content on those sites from analysis. This means they could bypass your security controls without you knowing.

Anonymization services make it too easy for employees to operate outside of your security controls and are too easily compromised by malicious actors to be something you want on your network.

2. Anomalous Server Behavior

Clients are human and behave unpredictably. Servers, however, are predictable. They are typically expected to accept inbound connections from the public Internet on certain ports/protocols. Anomalous server behavior should be a clue that something is off.

Deviations from a server’s usual profile can include things like making a lot of outbound connections or connections to unusual ports/protocols. This could indicate a breach or an attempted breach.

Even if no breach has occurred, servers behaving in an anomalous way indicate poor security hygiene that could set you up for a breach in the future.

3. Cryptocurrency Mining

Cryptocurrency mining consumes a lot of power. It can also be considered theft or misuse of corporate resources for personal enrichment. Because some malware performs cryptocurrency mining, it could also be an indication of a breach itself.

Overall, cryptocurrency mining indicates a lack of control over corporate resources and poor visibility into the corporate network. And if you don’t have full visibility into your network, you can’t be certain of your cybersecurity posture.

How to Reduce Risky Communications

Many organizations have strategies to reduce these risky communications. They typically use on-premise tools like firewalls and intrusion prevention systems. These services can be difficult to set up and to make sure you’re getting full coverage on your network. They only work as well as they’re configured, require substantial effort to deploy, and they often won’t cover any unknown assets on your network, since those assets are likely in places where network instrumentation is lacking.

Expanse Edge Behavior

That’s where Expanse Behavior comes in. With Behavior, we join observed Internet traffic data associated with your networks with our active sensing data to identify risky communications. That includes the communications we discussed above — anonymization services, anomalous server behavior, and cryptocurrency mining — as well as other behaviors like communications to OFAC countries or the use of risky peer-to-peer sharing services. Unlike traditional network security solutions, Behavior requires no installation or deployment and can detect risky network traffic even if you didn’t know an asset belonged to you.

To learn more about Behavior, check out our datasheet here: